-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter,

Peter Crowther wrote:
|> From: Christopher Schultz [mailto:[EMAIL PROTECTED]
|> <tents fingers>The internal IP address of the server is ...
|> 192.168.1.100! Nobody would have ever guessed that! Excellent! Now I can
|> take over the world! Muahahaha!</tents fingers>
|
| *Chuckle* Chris, all you need now is the white cat and the secret base
| in the garden shed.
|
| You might not be able to take over the world, but you might be able
| to take over the server more easily if you can crack something else
| on the same internal network.

Absolutely, especially if there is either no firewall or one configured
poorly or a foolish TCP/IP stack, you could forge an internal IP address as
the source for a request that originates externally. If special services
(like SHUTDOWN) are accepted without authentication from local addresses,
you've got yourself a problem.

| The OP's correct that it's an information disclosure vulnerability,
| though I'm not sure whether it's present in Tomcat's error pages.
| Certainly if you're going through the checklist of "generic" vuls so
| that you can demonstrate your installation is hardened against those
| attacks, it's fair to ask whether Tomcat's susceptible.

I just couldn't resist.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgsX4MACgkQ9CaO5/Lv0PCiUACfVisrtn47r3oOE4GNJ1mtrhr3
TosAn3/yJmSbIKJGVGkrxKbQHLifaXAa
=vrU/
-----END PGP SIGNATURE-----
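The thread's point is the "generic" hardening-checklist item: does an error page hand out an internal (RFC 1918, loopback or link-local) address? Below is an added example of the check a maintainer would run over their own server's error responses; it is not code from this thread or from the Tomcat project. The sample pages are constructed here, and the function names (`find_internal_addresses`, `check_error_page`) and the address ranges treated as internal are this example's own choices, not anything the list discussed.

```python
import ipaddress
import re

# Address ranges that should never appear in a response served to the outside.
# Listed explicitly (rather than relying on IPv4Address.is_private) so the
# policy is visible and so documentation ranges like 203.0.113.0/24 are not
# mistaken for a leak of internal topology.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "10.0.0.0/8",       # RFC 1918
        "172.16.0.0/12",    # RFC 1918
        "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8",      # loopback
        "169.254.0.0/16",   # link-local
    )
]

# Dotted-quad candidates only; ipaddress validates each octet afterwards, so
# "999.1.2.3" is rejected and a version string like "1.4.9" never matches.
_IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_internal_addresses(body: str) -> list[str]:
    """Return the unique internal IPv4 addresses found in a response body, sorted."""
    found = set()
    for match in _IPV4_CANDIDATE.finditer(body):
        try:
            addr = ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:
            continue  # looked like an address but an octet was out of range
        if any(addr in net for net in INTERNAL_NETWORKS):
            found.add(str(addr))
    return sorted(found, key=ipaddress.IPv4Address)


def check_error_page(status: int, body: str) -> dict:
    """Summarise one error response for a hardening report."""
    leaks = find_internal_addresses(body)
    return {
        "status": status,
        "internal_addresses": leaks,
        "disclosure": bool(leaks),
    }


# Constructed sample responses (hypothetical; not captured from a real server).
SAMPLE_LEAKY_PAGE = """<html><body>
<h1>HTTP Status 404 - /missing</h1>
<p>The requested resource is not available.</p>
<p>Served by node 192.168.1.100:8080 behind public address 203.0.113.10</p>
</body></html>"""

SAMPLE_CLEAN_PAGE = "<html><body><h1>HTTP Status 404 - Not Found</h1></body></html>"


if __name__ == "__main__":
    for name, page in (("leaky", SAMPLE_LEAKY_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        report = check_error_page(404, page)
        print(f"{name}: disclosure={report['disclosure']} "
              f"addresses={report['internal_addresses']}")
```

The regex deliberately over-matches and lets `ipaddress` do the validation; this keeps false positives such as version numbers out of the report while still catching an address glued to a port (`192.168.1.100:8080`). Run it against the body of every custom and default error page (404, 500, and the container's own stack-trace page if it is exposed) and treat any non-empty `internal_addresses` as a finding to fix in the error-page template, not just in the scanner's allow-list.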
